Bug#901795: cryptsetup-initramfs: please provide documented shell functions to validate/sanitize cryptroot entries in 3rd party hook files

2021-09-08 Thread Guilhem Moulin
Hi, On Thu, 09 Sep 2021 at 00:54:51 +0200, Christoph Anton Mitterer wrote: > I've just wondered whether the way you've mentioned above is still > valid respectively considered "stable" now (as it: for use by > keyscripts)? :-) Well we've never received any follow-up regarding a stable interface

Bug#994128: roundcube: search preference configuration setting for folder scope gets ignored

2021-09-12 Thread Guilhem Moulin
On Sun, 12 Sep 2021 at 09:57:06 -0400, Steve Dondley via Pkg-roundcube-maintainers wrote: > So it doesn't appear that a minified version of the code is the problem. It > just looks to me like app.min.js is using bad code and app.js is using good > code. app.min.js is generated at build time from

Bug#994128: roundcube: search preference configuration setting for folder scope gets ignored

2021-09-12 Thread Guilhem Moulin
On Sun, 12 Sep 2021 at 13:02:41 -0400, Steve Dondley via Pkg-roundcube-maintainers wrote: > That said, there must still be a bug because roundcube is supposed to > remember the search scope feature from the $_SESSION variable and it's not > doing that. Looking at the PHP code, roundcube is most

Bug#994128: roundcube: search preference configuration setting for folder scope gets ignored

2021-09-12 Thread Guilhem Moulin
On Sun, 12 Sep 2021 at 14:16:58 -0400, Steve Dondley via Pkg-roundcube-maintainers wrote: > What's the easiest way to get my hands on the original file from the > package? We don't have Debian-specific modification, so you can simply take it from upstream. $ curl -Ls

Bug#994128: roundcube: search preference configuration setting for folder scope gets ignored

2021-09-12 Thread Guilhem Moulin
Control: tag -1 moreinfo Hi, On Sun, 12 Sep 2021 at 08:19:10 -0400, Steve Dondley via Pkg-roundcube-maintainers wrote: > I set the $config['search_scope'] to a value of 'all' in the configuration > file so that the "Scope" field should default to "All folders." This feature > is broken. When

Bug#994128: roundcube: search preference configuration setting for folder scope gets ignored

2021-09-12 Thread Guilhem Moulin
On Sun, 12 Sep 2021 at 15:10:18 -0400, Steve Dondley via Pkg-roundcube-maintainers wrote: > On 2021-09-12 02:58 PM, Steve Dondley wrote: >>> Here is my version of app.js: >>> https://gist.github.com/sdondley/9db6dbffb8fb751c4afcd1092ab24fd0 >> >> Alright, so all confusion is from the fact that I

Bug#901795: cryptsetup-initramfs: please provide documented shell functions to validate/sanitize cryptroot entries in 3rd party hook files

2021-09-10 Thread Guilhem Moulin
On Sat, 11 Sep 2021 at 01:31:31 +0200, Christoph Anton Mitterer wrote: > I mean in a keyscript, CRYPTTAB_* are anyway already set for the > "current" target, right? > And in a initramfs hook, I anyway need to loop over all of them... or > at least I wouldn't have a particular (target) name to

Bug#994219: cryptsetup: support and/or document alternative location(s) for keyscripts

2021-09-14 Thread Guilhem Moulin
On Tue, 14 Sep 2021 at 15:06:22 +0200, Christoph Anton Mitterer wrote: > On Tue, 2021-09-14 at 12:50 +0200, Guilhem Moulin wrote: >> It ought to be documented though. > > Tell me when it helps you if I provide a patch for the manpage. That would have been welcome but I tweaked t

Bug#994219: cryptsetup: support and/or document alternative location(s) for keyscripts

2021-09-14 Thread Guilhem Moulin
Hi, On Tue, 14 Sep 2021 at 03:39:29 +0200, Christoph Anton Mitterer wrote: > AFAIK, keyscripts are always loaded from /lib/cryptsetup/scripts/, right? > > Like the check= option, keyscript= should either support to specify a full > path and/or cryptsetup should support alternative location(s).

Bug#994446: roundcube-core: SMTP error message 'SMTP auth failed (250)'

2021-09-16 Thread Guilhem Moulin
On Thu, 16 Sep 2021 at 14:46:34 +0200, Olaf Zaplinski wrote: > Roundcube does authenticate to IMAP, but not to SMTP because it is not > needed on localhost. The default is to use SMTP AUTH on localhost:587. This is not an RC bug. >> Does adding >> >>     $config['smtp_user'] = ''; >>

Bug#994446: roundcube-core: SMTP error message 'SMTP auth failed (250)'

2021-09-16 Thread Guilhem Moulin
Control: tag -1 - moreinfo On Thu, 16 Sep 2021 at 15:42:16 +0200, Olaf Zaplinski wrote: > Yes, I added > > $config['smtp_user'] = ''; > $config['smtp_pass'] = ''; > > to config.inc-php, now it is working. Thank you! Great, thanks for the follow-up! The new default took effect a while back but

Bug#994610: cryptsetup: creation/cleanup of /etc/crypttab

2021-09-18 Thread Guilhem Moulin
On Sat, 18 Sep 2021 at 16:30:38 +0200, Christoph Anton Mitterer wrote: > On Sat, 2021-09-18 at 16:04 +0200, Guilhem Moulin wrote: >> src:cryptsetup isn't the only consumer of /etc/crypttab, so this is a >> wontfix. > > Who else uses it that can work without cryptsetup? System

Bug#994610: cryptsetup: creation/cleanup of /etc/crypttab

2021-09-18 Thread Guilhem Moulin
On Sat, 18 Sep 2021 at 17:04:41 +0200, Guilhem Moulin wrote: > I don't see why it makes more sense to og-rwx /etc/crypttab by default > compared to /etc/fstab or /etc/systemd/system. If that makes sense in > YOUR environment, then YOU are free to do it manually Note however that if c

Bug#994219: cryptsetup: support and/or document alternative location(s) for keyscripts

2021-09-18 Thread Guilhem Moulin
On Sun, 19 Sep 2021 at 02:12:18 +0200, Christoph Anton Mitterer wrote: > Did I observe correctly, and cryptroot places *any* keyscript into: > /lib/cryptsetup/scripts/ > ? No. How did you test this? -- Guilhem.

Bug#994446: roundcube-core: SMTP error message 'SMTP auth failed (250)'

2021-09-16 Thread Guilhem Moulin
Hi, Control: severity -1 important Control: tag -1 moreinfo On Thu, 16 Sep 2021 at 09:29:49 +0200, Olaf Zaplinski via Pkg-roundcube-maintainers wrote: > Severity: grave > Justification: renders package unusable I disagree with that: I believe a typical Roundcube installation uses IMAP

Bug#901795: cryptsetup-initramfs: please provide documented shell functions to validate/sanitize cryptroot entries in 3rd party hook files

2021-09-11 Thread Guilhem Moulin
On Sat, 11 Sep 2021 at 17:12:17 +0200, Christoph Anton Mitterer wrote: > VALUE="$(printf '%b' "$VALUE")" > ###=> is this the place where you unescape? > ### then the documentation is wrong, cause %b doesn't only unescape octal > sequences, right? Not wrong in my view, but incomplete

Bug#901795: cryptsetup-initramfs: please provide documented shell functions to validate/sanitize cryptroot entries in 3rd party hook files

2021-09-11 Thread Guilhem Moulin
On Sat, 11 Sep 2021 at 17:12:17 +0200, Christoph Anton Mitterer wrote: >>> For which fields are the octal escapes handled? The manpage only >>> mentions them for the key/3rd field. >> >> My bad, it's supported in all fields. > > Are you going to correct it or shall I provide a patch for

Bug#901795: cryptsetup-initramfs: please provide documented shell functions to validate/sanitize cryptroot entries in 3rd party hook files

2021-09-11 Thread Guilhem Moulin
On Sat, 11 Sep 2021 at 18:31:33 +0200, Christoph Anton Mitterer wrote: > On Sat, 2021-09-11 at 18:06 +0200, Guilhem Moulin wrote: >> Not wrong in my view, but incomplete and using undocumented escape >> sequences yields unspecified behavior. > > Well the problem is simply

Bug#901795: cryptsetup-initramfs: please provide documented shell functions to validate/sanitize cryptroot entries in 3rd party hook files

2021-09-11 Thread Guilhem Moulin
On Sat, 11 Sep 2021 at 22:01:52 +0200, Christoph Anton Mitterer wrote: > Well then best is probably to e.g. document the \0xxx and mention that > any other use of \ needs to have that quoted or it may have a special > meaning? Right, that's what I was hinting at in

Bug#901795: cryptsetup-initramfs: please provide documented shell functions to validate/sanitize cryptroot entries in 3rd party hook files

2021-09-11 Thread Guilhem Moulin
On Sat, 11 Sep 2021 at 20:26:57 +0200, Christoph Anton Mitterer wrote: > On Sat, 2021-09-11 at 20:06 +0200, Guilhem Moulin wrote: >>   So either I misremembered testing >> this at the time, or something changed meanwhile :-)  I'd argue that >> ‘\’ >> is a special charac

Bug#996177: cryptsetup: please report fatal errors without having to use -v

2021-10-11 Thread Guilhem Moulin
Control: tag -1 moreinfo Hi, On Mon, 11 Oct 2021 at 22:09:07 +0200, Marc Lehmann wrote: > Specifically, the machine didn't have enough ram, probably because the > default algorithm (argon) requires more ram than the machine had. Could you please share the memory cost of the PBKDF, and also the

Bug#996177: cryptsetup: please report fatal errors without having to use -v

2021-10-11 Thread Guilhem Moulin
Control: found -1 2:2.1.0-5+deb10u2 On Tue, 12 Oct 2021 at 00:33:32 +0200, Guilhem Moulin wrote: > On Mon, 11 Oct 2021 at 22:09:07 +0200, Marc Lehmann wrote: >> Specifically, the machine didn't have enough ram, probably because the >> default algorithm (argon) requires more ram t

Bug#996181: cryptsetup-initramfs: Unable to use keyfile to decrypt rootfs

2021-10-11 Thread Guilhem Moulin
Control: severity -1 wishlist Hi, On Mon, 11 Oct 2021 at 22:28:31 +0200, Mateusz Jończyk wrote: > Currently, it is not possible to use a keyfile to decrypt the root > file system. I would like to use such a setup, so I'm attaching a > short patch for crypttab to make this work. IMHO this is too

Bug#995957: dbconfig-common: Spews "/usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead."

2021-10-10 Thread Guilhem Moulin
Hi elbrus! On Sun, 10 Oct 2021 at 20:52:51 +0200, Paul Gevers wrote: > Thanks for the report. I had committed nearly the same change locally. > Can you elaborate why you removed some "2>&1" strings on top of that? AFAIK with some `which` implementations one wants to silence the standard error to

Bug#996655: updating database with dbconfig-no-thanks doesn't seem to work

2021-10-16 Thread Guilhem Moulin
On Sat, 16 Oct 2021 at 17:45:42 -0400, David Mandelberg via Pkg-roundcube-maintainers wrote: > $ sudo -u www-data /usr/share/roundcube/bin/update.sh > ERROR: Configuration error. Unsupported database driver: I suppose the command doesn't have RCUBE_CONFIG_PATH=/etc/roundcube in its environment.

Bug#996655: Processed: forcibly merging 996613 996655

2021-10-16 Thread Guilhem Moulin
Control: unmerge -1 Control: severity -1 normal On Sat, 16 Oct 2021 at 18:42:11 -0400, David Mandelberg wrote: > Why were these two merged? Read too fast. Sorry. -- Guilhem.

Bug#996177: cryptsetup: please report fatal errors without having to use -v

2021-10-14 Thread Guilhem Moulin
On Thu, 14 Oct 2021 at 19:53:14 +0200, Marc Lehmann wrote: > On Tue, Oct 12, 2021 at 12:33:32AM +0200, Guilhem Moulin > wrote: >> Could you please share the memory cost of the PBKDF, > > I wouldn't know how to do that. `cryptsetup luksDump` >> of `free` just b

Bug#996177: cryptsetup: please report fatal errors without having to use -v

2021-10-14 Thread Guilhem Moulin
On Thu, 14 Oct 2021 at 20:48:51 +0200, Marc Lehmann wrote: > I reported this from another system, but both were recently upgraded to > bullseye. > > I know because I use kvm to see if the machine will actually boot (thus > the different memory setup) and the kvm in bullseye has a bug that makes

Bug#996505: cryptsetup: set CRYPTTAB_OPTION_tries for keyscripts when not explicitly set

2021-10-15 Thread Guilhem Moulin
On Thu, 14 Oct 2021 at 23:43:32 +0200, Christoph Anton Mitterer wrote: > I've noted that when there is no explicit tries=n in crypttab, that > CRYPTTAB_OPTION_tries isn't set either for the keyscripts. There is a 1:1 mapping between CRYPTTAB_OPTION_* and known options in crypttab's 4th column,

Bug#994056: cryptsetup: blkid check fails to take offset option into account

2021-10-08 Thread Guilhem Moulin
On Fri, 08 Oct 2021 at 15:12:58 +, Thorsten Glaser wrote: >>, so I completed your patch with 2373709bb461a71a7af46e7e9c59355fce63e52e. > > -blkid="$(/sbin/blkid -o value -s TYPE -p ${offset:+-O "$offset"} -- "$dev")" > +blkid="$(/sbin/blkid -o value -s TYPE -p ${offset:+-O "$((offset*512))"}
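
Review bot: the `+` line converts `offset` with `$((offset*512))`, but nothing visible in the hunk checks that `offset` is a plain decimal integer, and the bare `512` is unexplained. Validate the value before the arithmetic expansion (for instance, reject anything that is not all digits) and add a comment that crypttab's offset is counted in 512-byte sectors while `blkid -O` expects bytes.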

Bug#995957: dbconfig-common: Spews "/usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead."

2021-10-08 Thread Guilhem Moulin
ysql >/dev/null;` causes roundcube-core.postinst to spew /usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead. Here is a trivial patch following the suggested workaround from the debianutils maintainer. Thanks Cheers, -- Guilhem. commit ea58773e4ca

Bug#994486: cryptsetup-initramfs: include askpass only when needed?

2021-10-02 Thread Guilhem Moulin
Hi, On Thu, 16 Sep 2021 at 17:41:17 +0200, Christoph Anton Mitterer wrote: > I think it would be nice if askpass was only included when actually > needed. What does “would be nice” mean concretely, is there anything else than the slightly smaller initramfs image? Personally I'm not against

Bug#994486: cryptsetup-initramfs: include askpass only when needed?

2021-10-02 Thread Guilhem Moulin
On Sun, 03 Oct 2021 at 00:03:17 +0200, Christoph Anton Mitterer wrote: > It's like you say in the other bugs... people cannot rely on non- > documented features, and you're right there - otherwise you could > barely make any changes. We could also rename internal functions, variables, and paths

Bug#994486: cryptsetup-initramfs: include askpass only when needed?

2021-10-03 Thread Guilhem Moulin
On Thu, 16 Sep 2021 at 17:41:17 +0200, Christoph Anton Mitterer wrote: > I think it would be nice if askpass was only included when actually > needed. > > That seems to be the case, when no keyscript is set, and the KEY field is > none, > cause: > […] > Does the attached patch seem reasonable

Bug#993374: cryptsetup: cryptdisks_* completion scripts depend on mawk

2021-10-03 Thread Guilhem Moulin
Control: tag -1 moreinfo On Tue, 31 Aug 2021 at 16:05:27 +0200, Christoph Anton Mitterer wrote: > The cryptdisks_* completion scripts seem to depend on mawk. > > Would it be possible to make this compatible with the other awk > implementations > in Debian (gawk/original-awk)? mawk has

Bug#993374: cryptsetup: cryptdisks_* completion scripts depend on mawk

2021-10-03 Thread Guilhem Moulin
Control: tag -1 = pending On Mon, 04 Oct 2021 at 00:09:41 +0200, Christoph Anton Mitterer wrote: > On Sun, 2021-10-03 at 22:14 +0200, Guilhem Moulin wrote: >> mawk has ‘Priority: required’ and is expressive enough for this >> use-case.  Why should we use something else? > >

Bug#993374: cryptsetup: cryptdisks_* completion scripts depend on mawk

2021-10-03 Thread Guilhem Moulin
On Mon, 04 Oct 2021 at 01:17:36 +0200, Christoph Anton Mitterer wrote: > And as you said, since we only use the POSIX subset, I thought it would > be an improvement to use awk, and not fail in even the above situation. I don't recall why I used mawk in b0b8e3e88fecf2f8f5f5a3ad39b68e56a9e53427,

Bug#995725: dropbear-initramfs: connection between ssh client and dropbear times out

2021-10-04 Thread Guilhem Moulin
On Mon, 04 Oct 2021 at 13:28:12 -0700, Arnout Boelens wrote: > My bad. I meant to say I can ping the server. But I cannot connect to port > . You probably have a firewall on the way blocking the connection. Assuming 22/tcp is open you can tell dropbear to use that instead. -- Guilhem.

Bug#995725: dropbear-initramfs: connection between ssh client and dropbear times out

2021-10-04 Thread Guilhem Moulin
Control: tag -1 moreinfo On Mon, 04 Oct 2021 at 10:32:49 -0700, Arnout Boelens wrote: > I can ping my server on port . Not sure what you mean here, there is no port in ICMP. Do you see the dropbear greeting when you connect to your server on /tcp? -- Guilhem.

Bug#901795: cryptsetup-initramfs: please provide documented shell functions to validate/sanitize cryptroot entries in 3rd party hook files

2021-09-27 Thread Guilhem Moulin
On Mon, 27 Sep 2021 at 02:56:26 +0200, Christoph Anton Mitterer wrote: > Thus I cannot implement my own unescaping. Why not? _CRYTTAB_* is useful to copy a crypttab snippet to another location, but as said before you don't need it to produce your own parsing logic. You can use another character

Bug#901795: cryptsetup-initramfs: please provide documented shell functions to validate/sanitize cryptroot entries in 3rd party hook files

2021-09-27 Thread Guilhem Moulin
On Mon, 27 Sep 2021 at 18:21:47 +0200, Christoph Anton Mitterer wrote: > But why on earth should one want to do any of that? Because the field is opaque, and the key=value list format might not make sense for keyscripts. -- Guilhem.

Bug#901795: cryptsetup-initramfs: please provide documented shell functions to validate/sanitize cryptroot entries in 3rd party hook files

2021-09-27 Thread Guilhem Moulin
On Mon, 27 Sep 2021 at 19:21:45 +0200, Christoph Anton Mitterer wrote: > On Mon, 2021-09-27 at 18:37 +0200, Guilhem Moulin wrote: >> Because the field is opaque, and the key=value list format might not >> make sense for keyscripts. > > Well sure you can define it that wa

Bug#997809: roundcube: Delay migration into testing

2021-10-24 Thread Guilhem Moulin
Source: roundcube Version: 1.5.0+dfsg.1-2 Severity: serious Given the large changelog it's probably best to let 1.5 mature in unstable and delay its entry into testing by a week or so. With the DEP8 tests urgency=medium means migration after only 2 days which is definitely too short here. Meant

Bug#1002880: signing-party: caff defaults to retired pool.sks-keyservers.net

2021-12-30 Thread Guilhem Moulin
Hi, On Thu, 30 Dec 2021 at 17:05:39 -0500, Aaron M. Ucko wrote: > caff has historically defaulted to looking keys up on > pool.sks-keyservers.net $CONFIG{'keyserver'} is deprecated since 2.3-1, and the default is to use the keyserver in ~/.caff/gnupghome/gpg.conf, falling back to the option

Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content

2022-01-02 Thread Guilhem Moulin
Package: roundcube Severity: important Tags: security Control: found -1 1.3.17+dfsg.1-1~deb10u1 Control: found -1 1.4.12+dfsg.1-1~deb11u1 Control: fixed -1 1.5.1+dfsg-1 In a recent post roundcube webmail upstream has announced a fix for a cross-site scripting (XSS) vulnerability via HTML messages

Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content

2022-01-03 Thread Guilhem Moulin
Control: notfixed -1 1.5.1+dfsg-1 Control: found -1 1.5.1+dfsg-1 Hi Salvatore! On Mon, 03 Jan 2022 at 09:47:28 +0100, Salvatore Bonaccorso wrote: > On Sun, Jan 02, 2022 at 10:50:25PM +0100, Guilhem Moulin wrote: >> Package: roundcube >> Severity: important >> Tags: security

Bug#1003027: roundcube: XSS vulnerability via HTML messages with malicious CSS content

2022-01-05 Thread Guilhem Moulin
Hi carnil, On Wed, 05 Jan 2022 at 20:49:35 +0100, Salvatore Bonaccorso wrote: > FTR, have not yet heard back on the assignment. We can wait a bit > longer, but just wanted to say we do not necessarily need to block on > the missing assignment if we want to release the DSA earlier. The > issue is

Bug#1000156: roundcube: XSS vulnerability in handling attachment filename extension in MIME type mismatch warnings

2021-11-18 Thread Guilhem Moulin
Source: roundcube Severity: important Tags: security Control: found -1 1.3.16+dfsg.1-1~deb10u1 Control: found -1 1.4.11+dfsg.1-4 Control: fixed -1 1.5.0+dfsg.1-1 In a recent post roundcube webmail upstream has announced the following security fixes: * Fix XSS issue in handling attachment

Bug#999815: cryptsetup - build-depends on removed package.

2021-11-18 Thread Guilhem Moulin
On Thu, 18 Nov 2021 at 23:13:59 +0100, Christian Göttsche wrote: > A quick test build without those two build-dependencies resulted in > identical binary packages. They are currently pulled transitively by libdevmapper-dev, so removing them from the explicit Build-Depends doesn't yield a

Bug#1000642: roundcube: Failing test with PHP 8.1

2021-11-26 Thread Guilhem Moulin
Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/8151 Control: tag -1 upstream Hi taffit! On Fri, 26 Nov 2021 at 06:41:47 -0400, David Prévot wrote: > PHP 8.1 is now the default in experimental (soon in testing), and the > command1 autopkgtest is failing in this

Bug#1000642: roundcube: Failing test with PHP 8.1

2022-01-07 Thread Guilhem Moulin
On Thu, 02 Dec 2021 at 17:22:09 +, debian-bts-link wrote > # remote status report for #1000642 (http://bugs.debian.org/1000642) > # Bug title: roundcube: Failing test with PHP 8.1 > # * https://github.com/roundcube/roundcubemail/issues/8151 > # * remote status changed: (?) -> closed > # *

Bug#1003686: CVE-2021-4122: cryptsetup 2.x: decryption through LUKS2 reencryption crash recovery

2022-01-13 Thread Guilhem Moulin
Source: cryptsetup Severity: grave Tags: security upstream Justification: root security hole Control: found -1 2:2.3.5-1 Control: found -1 2:2.4.2-1 X-Debbugs-Cc: Debian Security Team Quoting : | CVE-2021-4122 describes a possible attack against data

Bug#1003615: ITP: php-bacon-bacon-qr-code -- QR code generator for PHP

2022-01-12 Thread Guilhem Moulin
Package: wnpp Severity: wishlist Owner: Guilhem Moulin X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: php-bacon-bacon-qr-code Version : 2.0.4 Upstream Author : Ben Scholzen 'DASPRiD' * URL : https://github.com/Bacon/BaconQrCode * License : BSD-2

Bug#1003615: ITP: php-bacon-bacon-qr-code -- QR code generator for PHP

2022-01-12 Thread Guilhem Moulin
On Wed, 12 Jan 2022 at 18:10:18 +0100, Guilhem Moulin wrote: > * Package name: php-bacon-bacon-qr-code > Version : 2.0.4 > Upstream Author : Ben Scholzen 'DASPRiD' > * URL : https://github.com/Bacon/BaconQrCode > * License : BSD-2-Clause > Pro

Bug#1003633: ITP: php-roundcube-rtf-html-php -- RTF to HTML converter in PHP

2022-01-12 Thread Guilhem Moulin
Package: wnpp Severity: wishlist Owner: Guilhem Moulin X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: php-roundcube-rtf-html-php Version : 2.1 Upstream Author : Alexander van Oostenrijk , Aleksander Machniak * URL : https

Bug#1000593: Failing testsuite with PHP 8.1

2022-01-11 Thread Guilhem Moulin
Hi taffit, On Thu, 25 Nov 2021 at 11:50:24 -0400, David Prévot wrote: > There is a new upstream version (1.2.4), but I quickly checked that > two failures (first and last) still happen. (It’s also not a PEAR > package anymore, so need some work to convert the packaging to its > Composer source).

Bug#1006802: cryptdisks_stop should process crtypttab entries in reverse order

2022-03-05 Thread Guilhem Moulin
Control: tag -1 moreinfo On Sat, 05 Mar 2022 at 13:13:57 +0100, Guenther Brunthaler wrote: > When creating nested dmcrypt mappings in /etc/crypttab, > cryptdisks_start processes them from top to bottom. I believe cryptdisks_start(8) and cryptdisks_stop(8) process mappings in the order given

Bug#1006802: cryptdisks_stop should process crtypttab entries in reverse order

2022-03-05 Thread Guilhem Moulin
Control: retitle -1 `/etc/init.d/cryptdisks stop` should safely traverse nested block device stacks Control: tag -1 - moreinfo On Sat, 05 Mar 2022 at 16:54:07 +0100, Guenther Brunthaler wrote: > which is exactly the same as do_start() does. And hence the entries are > processed in the same order

Bug#1007236: php-symfony-polyfill-mbstring shouldn't provide php-mbstring

2022-03-14 Thread Guilhem Moulin
Package: php-symfony-polyfill-mbstring Version: 1.25.0-1 Severity: normal Dear Maintainer, $ apt show php-symfony-polyfill-mbstring Package: php-symfony-polyfill-mbstring Version: 1.25.0-1 […] Provides: php-mbstring […] Description: Symfony polyfill for the Mbstring

Bug#1007236: php-symfony-polyfill-mbstring shouldn't provide php-mbstring

2022-03-14 Thread Guilhem Moulin
On Mon, 14 Mar 2022 at 12:05:20 +0100, David Prévot wrote: >> That Provides: causes roundcube 1.6~beta+dfsg-1 to FTBFS on the buildds [0]. > > I had the same problem with two other packages (in experimental only). I’m > pretty busy currently, but feel free to push a fix via a team upload or an >

Bug#1006802: cryptdisks_stop should process crtypttab entries in reverse order

2022-03-06 Thread Guilhem Moulin
Control: tag -1 pending On Sat, 05 Mar 2022 at 17:17:07 +0100, Guilhem Moulin wrote: > For do_start() we're reading crypttab(5) sequentially as we don't have > enough information about nesting, however for do_stop() we have that > information in the mapping table, so no need to reverse c

Bug#1006010: bullseye-pu: package php-crypt-gpg/1.6.4-2+deb11u1

2022-02-18 Thread Guilhem Moulin
ci.yml: Target Bullseye release. + + -- Guilhem Moulin Fri, 18 Feb 2022 22:17:29 +0100 + php-crypt-gpg (1.6.4-2) unstable; urgency=medium * Require phpunit ≥8 in Build-Depends. diff -Nru php-crypt-gpg-1.6.4/debian/gbp.conf php-crypt-gpg-1.6.4/debian/gbp.conf --- php-crypt-gpg-1.6.4/debian/gb

Bug#1006028: php-crypt-gpg: FTBFS: PHPUnit\Framework\Exception: PHP Fatal error: Uncaught Crypt_GPG_BadPassphraseException: Cannot export private key. Incorrect passphrase provided for keys: "First Ke

2022-02-19 Thread Guilhem Moulin
Control: tag -1 moreinfo On Sat, 19 Feb 2022 at 07:38:04 +0100, Lucas Nussbaum wrote: > During a rebuild of all packages in sid, your package failed to build > on amd64. Seems like a false-positive to me. It does build here, and also did build on the buildds [0] (and Salsa CI too). Perhaps

Bug#1005921: CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent additional options in GPG calls

2022-02-17 Thread Guilhem Moulin
Source: php-crypt-gpg Version: 1.6.6-1 Severity: important Tags: security upstream Control: found -1 1.6.4-2 Control: found -1 1.6.6-1 Crypt_GPG upstream recently published for CVE-2022-24953: “The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which

Bug#955384: Fixed upstream?

2022-03-31 Thread Guilhem Moulin
Control: tag -1 fixed-upstream On Thu, 31 Mar 2022 at 21:12:30 +0200, Diederik de Haas wrote: > https://github.com/mkj/dropbear/commit/3189d12c9fd166ff6ece57b3d847af9d99d8b813 > seems to indicate that the issue was fixed a couple of days ago. > There are other commits that are related and

Bug#1007998: release-notes: netcat-openbsd incompatibilities

2022-03-20 Thread Guilhem Moulin
Package: release-notes Severity: wishlist Hi there, netcat-openbsd 1.218-5 adds support for abstract sockets (on Linux), which is a breaking change with possible security implications: https://sources.debian.org/src/netcat-openbsd/1.218-5/debian/NEWS/ . elbrus suggested to mention that in the

Bug#1004203: closed by Scott Kitterman (Re: RM: src:php-bacon-bacon-qr-code -- ROM; duplicate (already in Debian))

2022-01-29 Thread Guilhem Moulin
Control: retitle -1 src:php-bacon-bacon-qr-code -- ROM; duplicate (already in Debian) On Sat, 29 Jan 2022 at 18:25:42 +, Adam D. Barratt wrote: > On Sat, 2022-01-29 at 18:41 +0100, Guilhem Moulin wrote: >>> Appears it was already removed. >> >> Was it? 5 days

Bug#1004203: closed by Scott Kitterman (Re: RM: src:php-bacon-bacon-qr-code -- ROM; duplicate (already in Debian))

2022-01-29 Thread Guilhem Moulin
Control: reopen -1 On Mon, 24 Jan 2022 at 14:39:11 +, Debian Bug Tracking System wrote: >> I mixed things up when filing https://bugs.debian.org/1003615 , and >> unfortunately didn't notice before the upload entered NEW. Per >> : >> >> | Please ignore my upload: turns out the package is

Bug#1003685: What about bullseye ?

2022-01-30 Thread Guilhem Moulin
Hi, On Sun, 30 Jan 2022 at 21:23:55 +0100, Rogier wrote: > I am a bit surprised that this bug has been closed, even > though it has not yet been fixed in bullseye. That's how the BTS works. It's marked as fixed cryptsetup/2:2.4.3-1 (bookworm, unstable), but still marked as found in

Bug#1003951: DROPBEAR_OPTIONS is silently ignored when missing quotes

2022-02-09 Thread Guilhem Moulin
Hi Lee, On Wed, 19 Jan 2022 at 14:45:47 +0100, Lee Garrett wrote: > Ah, I wasn't aware that it was directly sourced by a shell. This makes > much more sense now. I see, then I guess it needs to be clarified indeed. Made an attempt at

Bug#1003951: DROPBEAR_OPTIONS is silently ignored when missing quotes

2022-01-18 Thread Guilhem Moulin
Control: severity -1 minor Hi, On Tue, 18 Jan 2022 at 15:58:43 +0100, Lee Garrett wrote: > A low-effort fix would be to change the shipped config to > # DROPBEAR_OPTIONS="" > to indicate that they're required. Ideally the initramfs hook should either > fail > when unquoted, or accept the full

Bug#1004203: RM: src:php-bacon-bacon-qr-code -- ROM; duplicate (already in Debian)

2022-01-22 Thread Guilhem Moulin
Package: ftp.debian.org Severity: normal I mixed things up when filing https://bugs.debian.org/1003615 , and unfortunately didn't notice before the upload entered NEW. Per : | Please ignore my upload: turns out the package is already in Debian, my | bad… Sorry for the trouble! So please

Bug#1009163: import-orig: please make --upstream-vcs-tag=%(version)s strip +dfsg/+ds repack suffixes

2022-04-07 Thread Guilhem Moulin
Package: git-buildpackage Version: 0.9.25 Severity: wishlist Dear Maintainer, `gpg import-orig --upstream-vcs-tag=%(version)s` is great, however the substitution doesn't work well with repack suffixes such as +dfsg or +ds. Perhaps ‘%(version)s’ shouldn't unconditionally strip repack suffixes,

Bug#1009062: CVE-2019-12953: inconsistent failure delay that may lead to revealing valid usernames

2022-04-06 Thread Guilhem Moulin
Source: dropbear Version: 2011.54-1 Severity: important Tags: security Control: found -1 2016.74-5+deb9u1 Control: found -1 2018.76-5 Control: fixed -1 2019.78-1 CVE-2019-12953: Dropbear 2011.54 through 2018.76 has an inconsistent failure delay that may lead to revealing valid usernames. This is

Bug#1009065: buster-pu: package dropbear/2018.76-5+deb10u1

2022-04-06 Thread Guilhem Moulin
password length to +100 bytes. (Closes: #1009062.) +Cherry-picked from https://hg.ucc.asn.au/dropbear/rev/228b086794b7 . + * d/gbp.conf: Set debian-branch = debian/buster. + + -- Guilhem Moulin Wed, 06 Apr 2022 20:54:24 +0200 + dropbear (2018.76-5) unstable; urgency=medium * Put custo

Bug#1054079: roundcube: cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages

2023-10-16 Thread Guilhem Moulin
Source: roundcube Version: 1.6.3+dfsg-2 Severity: important Tags: security upstream Control: found -1 1.3.17+dfsg.1-1~deb10u3 Control: found -1 1.4.14+dfsg.1-1~deb11u1 Control: found -1 1.6.3+dfsg-1~deb12u1 Control: forwarded -1 https://github.com/roundcube/roundcubemail/issues/9168 In a recent

Bug#1055421: roundcube: cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download

2023-11-05 Thread Guilhem Moulin
Source: roundcube Version: 1.6.4+dfsg-1 Severity: important Control: found -1 1.6.4+dfsg-1~deb12u1 Tags: security upstream Roundcube webmail upstream has recently released 1.6.5 which fixes the following vulnerability: * Fix cross-site scripting (XSS) vulnerability in setting

Bug#1055489: roundcube-plugins: File 'opengpg.js.min' for the 'enigma' plugin is missing

2023-11-07 Thread Guilhem Moulin
Control: tag -1 wontfix Hi, On Tue, 07 Nov 2023 at 10:38:49 +0100, Marco Emilio Poleggi wrote: > It looks like the file 'opengpg.js.min' for the 'enigma' plugin is > missing. This is intentional, see roundcube-plugins.NEWS:

Bug#1052547: unable to boot, no luks passwort prompt shown

2023-09-24 Thread Guilhem Moulin
Control: tag -1 + moreinfo unreproducible Hi, On Sun, 24 Sep 2023 at 14:42:27 +0200, Eduard Bloch wrote: > we have a problem here. After latest upgrades, I am no longer able to > boot into a system with LUKS-encrypted rootfs. This worked just fine a few > weeks ago. I jumped in circles in the

Bug#1052290: cryptsetup-initramfs: askpass is not executed; cryptroot-unlock fails

2023-09-20 Thread Guilhem Moulin
Control: tag -1 moreinfo On Tue, 19 Sep 2023 at 22:39:40 +0100, Tj wrote: > On reaching initialramfs it fails to unlock either of the LUKS devices; > eventually dropping to the shell after reporting: > > Error: Timeout reached while waiting for askpass. > > After using `break=mount` and

Bug#1052156: cryptsetup: please (temporarily) disable cryptroot-sysvinit autopkgtest

2023-09-18 Thread Guilhem Moulin
Control: tag -1 moreinfo Hi, On Mon, 18 Sep 2023 at 10:46:30 +0100, Luca Boccassi wrote: > With sysvinit scripts no longer being mandatory, the udev one has been > removed from src:systemd. It is in the process of being adopted by > src:sysvinit, but being optional and all that might take some

Bug#1052238: [pkg-php-pear] Bug#1052238: php-net-smtp: Please, consider this email address

2023-09-21 Thread Guilhem Moulin
On Thu, 21 Sep 2023 at 13:58:18 +0200, J.L. Fernandez Jambrina wrote: > Unfortunately I don't know how to use setDebug() to see what is > being passed to send() Please see https://github.com/pear/Net_SMTP#debugging to debug Net_SMTP. > but I used two calls to var_dump() to see it: AFAICT

Bug#1052059: roundcube: Please apply security fix from 1.6.3

2023-09-18 Thread Guilhem Moulin
I requested a CVE ID for this issue. -- Guilhem.

Bug#1052059: roundcube: Please apply security fix from 1.6.3

2023-09-22 Thread Guilhem Moulin
On Fri, 22 Sep 2023 at 10:56:59 +0300, Guilhem Moulin wrote: > I'll suggest debdiffs targeting {bullseye,bookworm}-security after > the week-end. Oh, didn't see the Security Team tagged this as no-dsa. Will target {bullseye,bookworm} then. -- Guilhem.

Bug#1052059: roundcube: Please apply security fix from 1.6.3

2023-09-22 Thread Guilhem Moulin
Control: retitle -1 roundcube: CVE-2023-43770: XSS vulnerability in handling of linkrefs in plain text messages On Mon, 18 Sep 2023 at 13:59:47 +0200, Guilhem Moulin wrote: > I requested a CVE ID for this issue. CVE-2023-43770 for this. I'll suggest debdiffs targeting {bullseye,bookw

Bug#1052059: bookworm-pu?

2023-09-28 Thread Guilhem Moulin
On Thu, 28 Sep 2023 at 18:26:07 +0300, Martin Dosch via Pkg-roundcube-maintainers wrote: > Are there plans to also upload it to stable-pu? See #1052629 -- Guilhem.

Bug#1052629: bookworm-pu: package roundcube/1.6.3+dfsg-1~deb12u1

2023-09-28 Thread Guilhem Moulin
On Thu, 28 Sep 2023 at 18:53:46 +0100, Adam D. Barratt wrote: > --- a/CHANGELOG.md > +++ b/CHANGELOG.md > @@ -1,5 +1,54 @@ > # Changelog Roundcube Webmail > > +## Unreleased > + > > That seems wrong, given that you're uploading a released version. Well spotted but that one is upstream's, see

Bug#1052611: bullseye-pu: package roundcube/1.4.14+dfsg.1-1~deb11u1

2023-09-25 Thread Guilhem Moulin
ency=high + + * New security/bugfix upstream release: ++ Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling + of linkrefs in plain text messages. (Closes: #1052059) ++ Enigma: Fix initial synchronization of private keys. + * d/u/signing-key.asc: Add Alec's key BE

Bug#1052238: php-net-smtp: fails to send MIME multipart email properly

2023-09-19 Thread Guilhem Moulin
Control: tag -1 moreinfo Hi, On Tue, 19 Sep 2023 at 12:42:34 +0200, J.L. Fernandez Jambrina wrote: > As php-mail didn't change in the upgrade and I verified the arguments > to the MAIL::send method are the same in both cases I suspect from the > underlying php-net-smtp package, but I can be

Bug#1050680: yubikey-luks: Depends on removed package cryptsetup-run

2023-08-27 Thread Guilhem Moulin
On Mon, 28 Aug 2023 at 01:56:04 +0200, Guilhem Moulin wrote: > cryptsetup-run has been a transitional package since the buster release, > and has now been removed following #1038285. Looks like I failed to > properly check reverse depends; yubikey-luks should replace ‘Depends: > cr

Bug#1050680: yubikey-luks: Depends on removed package cryptsetup-run

2023-08-27 Thread Guilhem Moulin
Source: yubikey-luks Version: 0.5.1+29.g5df2b95-6.1 Severity: serious Hi, cryptsetup-run has been a transitional package since the buster release, and has now been removed following #1038285. Looks like I failed to properly check reverse depends; yubikey-luks should replace ‘Depends:

Bug#1011754: interimap: autopkgtest failure with openssl 3

2022-05-26 Thread Guilhem Moulin
On Thu, 26 May 2022 at 12:39:51 +0200, Sebastian Ramacher wrote: > interimap's autopkgtests fail with openssl 3: I believe this is due to #1011038 and/or #1011051. AFAICT nothing needs doing on the interimap side while these are open. Leaving -1 open though so no one files a duplicate. --

Bug#1013918: lintian: False positive: `chown --reference=foo bar.baz` triggers chown-with-dot

2022-06-27 Thread Guilhem Moulin
Package: lintian Version: 2.115.1 Severity: normal Dear Maintainer, roundcube-core's postinst contains chown --reference="$CONFFILE" "$CONFFILE.ucftmp" which triggers a false positive with tag chown-with-dot. Indeed "chown --reference=foo bar.baz" matches m{ \b chown \s+ (?: -\S+ \s+

Bug#1014178: autopkgtest: System state isn't reset between tests (test result depends on earlier tests)

2022-07-01 Thread Guilhem Moulin
Package: autopkgtest Version: 5.22 Severity: important Dear Maintainer, While running two tests with autopkgtest-build-qemu I was surprised to see the database created from the first one not being wiped before running the other test. $ cat debian/tests/control Test-Command: date -R |

Bug#1013969: debhelper: dh_installtmpfiles(1) postinst snippets should run without /run/systemd/system

2022-06-28 Thread Guilhem Moulin
Package: debhelper Version: 13.7.1 Severity: wishlist Dear Maintainer, The roundcube package ships a temporary directory which is cleaned via cronjobs and which I'd like to define via tmpfiles.d(5) instead. debhelper 13.7.1 adds the following snippet to the postinst script: # Automatically

Bug#1010338: autopkgtest: Option --test-name and debian/tests/control test-name raise exception

2022-07-19 Thread Guilhem Moulin
Package: autopkgtest Version: 5.22 Followup-For: Bug #1010338 Unfortunately the exception is also triggered for non-fatal errors: $ cat debian/tests/control.crash Test-Command: /bin/true Depends: coreutils Restrictions: isolation-machine Test-Command: /bin/true Depends:

Bug#1015732: piuparts: scripts/pre_install_database-server doesn't work when piuparts is fed a .changes or .deb

2022-07-19 Thread Guilhem Moulin
Package: piuparts Version: 1.1.5 Severity: normal File: /etc/piuparts/scripts/pre_install_database-server Tags: patch Dear Maintainer, Piuparts scripts in /etc/piuparts/scripts/* case match over ${PIUPARTS_OBJECTS%%=*}, which works on piuparts.d.o (which calls piuparts with `--apt

Bug#1015287: dropbear-initramfs: Configure dropbear to use VLAN

2022-07-20 Thread Guilhem Moulin
Control: reassign -1 initramfs-tools-core On Mon, 18 Jul 2022 at 22:17:09 +0100, Graham Cobb wrote: > I have it working on one system but when I try to use it on a second system > it doesn't work. > This second system is a server which is connected directly to a VLAN trunk, > so the IP config >

Bug#1015762: roundcube-core: Cannot be installed without pulling apache

2022-07-20 Thread Guilhem Moulin
On Wed, 20 Jul 2022 at 15:57:08 -0400, Philippe Clérié wrote: > Ok. That looks like it works. > > It simply would never have occurred to me to add php to php-fpm. Fair enough, it's arguably an issue in APT's dependency resolver: $ apt show roundcube-core […] Depends: […],

Bug#1015762: roundcube-core: Cannot be installed without pulling apache

2022-07-21 Thread Guilhem Moulin
On Thu, 21 Jul 2022 at 07:10:27 -0400, Philippe Clérié wrote: > I would like to test that. Well you can build the package from git and try to install the .deb :-) FWIW the aforementioned patch also removes ‘Depends: php’ from the ‘lighttpd’ and ‘hardening-dedicated-user’ DEP-8 tests, and neither
